Everything You Need to Know About the Texas Data Privacy and Security Act (TDPSA)


The Texas Data Privacy and Security Act (TDPSA), effective July 1st, 2024, has introduced comprehensive data privacy regulations to protect the personal data of Texas residents. 

The TDPSA affects businesses operating in Texas or dealing with the personal data of Texas residents. This blog post will cover everything you need to know about the TDPSA, focusing on its main implications for businesses of all sizes.

What is the TDPSA?

Authored by State Representative Giovanni Capriglione, the TDPSA was signed into law on June 18th, 2023, to formalize comprehensive data privacy protections for Texas residents and to regulate how businesses collect, process, and secure personal data. With the law, Texas became the 10th state in the U.S. to enact a comprehensive privacy law protecting resident consumers.

Texas heavily bases its privacy law on existing state regulations, mainly the Virginia Consumer Data Protection Act (VCDPA) and, to a slightly lesser extent, the California Consumer Privacy Act (CCPA). 

The law's core provisions took effect on July 1st, 2024; the requirement to honor universal opt-out signals (covered below) applies from January 1st, 2025. Before bringing an enforcement action, the Texas Attorney General must notify the business of the alleged violation and allow a 30-day cure period. Each uncured violation may result in a civil penalty of up to $7,500, which adds up quickly if an organization doesn't take the necessary steps to ensure compliance.

The Main TDPSA Requirements

The Texas Data Privacy and Security Act (TDPSA) imposes several key requirements on businesses to ensure the protection of personal data and compliance with privacy standards. Here are some of the main requirements:

Data Subject Rights

  • Right to Access: Consumers can request access to their personal data.
  • Right to Correction: Consumers can request corrections to inaccurate personal data.
  • Right to Deletion: Consumers can request the deletion of their personal data.
  • Right to Data Portability: Consumers can receive their personal data in a portable format.
  • Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
  • Right to Non-Discrimination: Consumers cannot be discriminated against for exercising their privacy rights.

Transparency and Privacy Notices

Businesses must provide clear and accessible privacy notices that detail the categories of personal data collected, the purposes of data processing, how consumers can exercise their rights, and any data sharing practices with third parties.

Data Minimization

Businesses should collect only the personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to consumers, and must obtain the consumer's consent before processing that data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purposes.

Security Safeguards and Breach Notifications

Businesses must adopt reasonable security measures, including technical, administrative, and physical safeguards, to protect personal data from unauthorized access, disclosure, or destruction. Breach notification is governed by Texas's separate breach notification statute (Business and Commerce Code §521.053) rather than the TDPSA itself: a breach affecting 250 or more Texas residents must be reported to the Texas Attorney General as soon as practicable and no later than 30 days after the breach is determined to have occurred.

Consent for Sensitive Data

Businesses must obtain explicit consent from consumers before processing sensitive personal data. This includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; precise geolocation data; and personal data collected from a known child (under 13).

Global Opt-Out Mechanisms

From January 1st, 2025, businesses must recognize and honor universal opt-out signals, such as the Global Privacy Control (GPC), which let consumers opt out of the processing of their personal data for targeted advertising and of its sale.
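In practice, the GPC signal reaches a web server as the request header `Sec-GPC: 1` (and reaches browser scripts as `navigator.globalPrivacyControl`); a site can also publish `/.well-known/gpc.json` to declare that it honors the signal. The following is an added example of how a server might check for the header and suppress only the purposes the signal covers. It is not code from the original post or from Defensible; it assumes a framework-agnostic view in which request headers are available as a dict, the sample requests are constructed, and the purpose names (`targeted_advertising`, `sale`, `order_fulfilment`) are illustrative labels chosen for the example.

```python
import json
from datetime import date

# Purposes that a universal opt-out signal covers under the TDPSA, as the
# post describes them: targeted advertising and the sale of personal data.
# The labels themselves are illustrative, not statutory terms.
GPC_COVERED_PURPOSES = frozenset({"targeted_advertising", "sale"})


def gpc_signal_present(headers):
    """Return True only when the request carries the GPC opt-out signal.

    The GPC specification defines a single request header, ``Sec-GPC``,
    whose only meaningful value is ``1``.  Header names are case-insensitive,
    so the lookup normalises them; any value other than an exact ``1`` after
    trimming whitespace is treated as "no signal" rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out(headers, requested_purposes):
    """Decide which processing purposes may proceed for this request.

    Returns a decision record suitable for an audit log: whether the signal
    was seen, the purposes that remain allowed, and those suppressed because
    of it.  Purposes outside GPC's scope (for example, fulfilling the order
    the consumer just placed) are never suppressed by the signal.
    """
    requested = set(requested_purposes)
    signal = gpc_signal_present(headers)
    suppressed = (requested & GPC_COVERED_PURPOSES) if signal else set()
    return {
        "gpc_signal": signal,
        "allowed": sorted(requested - suppressed),
        "suppressed": sorted(suppressed),
    }


def well_known_gpc(last_update):
    """Body for ``GET /.well-known/gpc.json`` announcing that GPC is honoured.

    ``last_update`` is an ISO-8601 date string (YYYY-MM-DD) for when the
    site's GPC handling last changed; it is validated before being emitted.
    """
    date.fromisoformat(last_update)  # raises ValueError on a malformed date
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests (not real traffic).
    opted_out = {"Host": "shop.example", "SEC-GPC": "1", "Accept": "*/*"}
    no_signal = {"Host": "shop.example", "Accept": "*/*"}
    malformed = {"Host": "shop.example", "Sec-GPC": "true"}

    purposes = ["order_fulfilment", "targeted_advertising", "sale"]
    for request_headers in (opted_out, no_signal, malformed):
        print(apply_opt_out(request_headers, purposes))
    print(well_known_gpc("2025-01-01"))
```

The decision record is worth persisting with the request: if a consumer or regulator later asks why targeted advertising was or was not applied, the log shows that the signal was checked and what it suppressed. The strict `== "1"` comparison is deliberate; a header such as `Sec-GPC: true` is not a valid signal, and silently treating it as an opt-out (or as consent) would misrepresent what the browser actually sent.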

For more information, please refer to this official post from the website of the State Attorney General.

What it Means for Businesses

Businesses serving consumers in Texas must take this legislation seriously, as the fines can add up quickly even after a single incident.

Most importantly, companies will need to take a holistic approach to data management, ensuring that all personal data collected, processed, and stored is done so in compliance with the TDPSA. This includes:

  • Data Mapping: Understanding what personal data is collected, where it is stored, and how it is processed.
  • Data Minimization: Collecting only the necessary data required for business operations and ensuring it is retained only as long as needed.

Next, businesses will have to establish strict policies, procedures, and technical measures to ensure compliance with the Texas Privacy Law.

Under the TDPSA, data controllers must:

  • Provide consumers with a privacy notice that explicitly states what categories of personal data are being collected or processed and the purposes for which the data is used
  • Include the statement "NOTICE: We may sell your sensitive personal data." in their privacy notice if they sell sensitive data, and "NOTICE: We may sell your biometric personal data." if they sell biometric data
  • Practice data minimization, avoid secondary uses of data not listed in the public privacy notice, and conduct data protection assessments for higher-risk processing such as targeted advertising, the sale of personal data, profiling, and the processing of sensitive data
  • Take reasonable measures to ensure de-identified data cannot be linked back to any individual, and publicly commit to maintaining it in de-identified form
  • Authenticate consumer requests and respond to them within 45 days (extendable once by a further 45 days when reasonably necessary)

Collaborating with compliance experts may save time, reduce risks, and ensure thorough adherence to the law's requirements.

Who is Exempt from TDPSA Requirements?

The TDPSA applies to persons that conduct business in Texas or offer products or services consumed by Texas residents, that process or sell personal data, and that are not small businesses as defined by the U.S. Small Business Administration. Small businesses are otherwise outside the law, but must still obtain consent before selling sensitive personal data. Beyond that threshold, the following are exempt from the TDPSA:

  • State agencies and political subdivisions of Texas
  • Nonprofit organizations
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA)
  • Institutions of higher education
  • Electric utilities, power generation companies, and retail electric providers

Achieve Compliance With Defensible

Complying with stringent regulations like TDPSA is not easy. It requires organizational buy-in and the appropriate leadership structures to ensure comprehensive data privacy and security. This is where Defensible’s vCISO (Virtual Chief Information Security Officer) service can make a significant difference.

Our vCISO service provides expert guidance and support to help your organization navigate the complexities of the TDPSA and other data privacy regulations. Here’s how Defensible can assist you:

  • Regulatory Expertise

Our vCISOs are well-versed in the latest regulatory requirements and best practices for data privacy and security. They can help your organization interpret and implement the TDPSA's provisions effectively.

  • Data Protection Assessments

We conduct thorough data protection assessments to identify potential risks and vulnerabilities in your data handling practices. These assessments are critical for complying with the TDPSA's requirement to assess higher-risk processing activities, such as targeted advertising, the sale of personal data, profiling, and the processing of sensitive data.

  • Privacy Policy Development

Defensible assists in developing clear and comprehensive privacy policies that meet TDPSA standards. We ensure your privacy notices are transparent and accessible and provide all necessary disclosures to consumers.

To learn more, contact us now for a free, obligation-free consultation!